[rtcweb] Continuing to assert username/password (Re: FW: Adopting draft-muthu-behave-consent-freshness?)
Harald Alvestrand <harald@alvestrand.no> Tue, 17 September 2013 08:34 UTC
Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F92011E83AD for <rtcweb@ietfa.amsl.com>; Tue, 17 Sep 2013 01:34:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.299
X-Spam-Level:
X-Spam-Status: No, score=-110.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_72=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 42Ws1-O29Atz for <rtcweb@ietfa.amsl.com>; Tue, 17 Sep 2013 01:34:15 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 2C2F511E83AC for <rtcweb@ietf.org>; Tue, 17 Sep 2013 01:34:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id D27CE39E3E4 for <rtcweb@ietf.org>; Tue, 17 Sep 2013 10:34:12 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05Fue+p2gsP4 for <rtcweb@ietf.org>; Tue, 17 Sep 2013 10:34:11 +0200 (CEST)
Received: from hta-hippo.lul.corp.google.com (unknown [IPv6:2620:0:1043:1:7646:a0ff:fe90:e2bb]) by eikenes.alvestrand.no (Postfix) with ESMTPSA id 2D59239E246 for <rtcweb@ietf.org>; Tue, 17 Sep 2013 10:34:11 +0200 (CEST)
Message-ID: <52381402.8070400@alvestrand.no>
Date: Tue, 17 Sep 2013 10:34:10 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <E92E67B176B8B64D8D3A8F5E44E9D8F41FF743A0@xmb-aln-x05.cisco.com>
In-Reply-To: <E92E67B176B8B64D8D3A8F5E44E9D8F41FF743A0@xmb-aln-x05.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: [rtcweb] Continuing to assert username/password (Re: FW: Adopting draft-muthu-behave-consent-freshness?)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2013 08:34:19 -0000
Changing subject line in order to make life easier for those who try to review comments on the original subject.... On 09/17/2013 07:10 AM, Ram Mohan R (rmohanr) wrote: > Hi Please see inline > > -----Original Message----- > From: Jessie <Lijing>, "Huawei)" <lijing80@huawei.com> > Date: Thursday, 12 September 2013 1:27 PM > To: "rtcweb@ietf.org" <rtcweb@ietf.org> > Subject: [rtcweb] FW: Adopting draft-muthu-behave-consent-freshness? > >> Hi all, >> >> As a newcomer to RTCWEB, I have some doubts after I have read the draft. >> >> 1. in "4. Solution Overview", may be it would be better to clarify when >> to send a STUN Binding Request(in the middle of a media session or before >> sending traffic, during sending traffic or only during silence periods) >> and which side to send the request(controlling agent or both sides)? > The introduction section explains when consent is needed. During the > initial call setup ICE connectivity checks are used. This mechanism > described in this document is for periodic consent after initial sessions > is setup. > >> 2. in " 7. Security Considerations", there are the following words. As >> when one agent receives STUN Binding Request, unlike the processing of >> indication message, it have to do more processes to send the Response >> message, I am not sure whether it is appreciate not to authenticate the >> source and respond directly. Is it more open to malicious attacks? > I am not clear on what you asking here. The below text just tells that > there is no need to re-asserting the username/password that was sent > initially during ICE checks. Are you saying this can lead to attacks ? If > yes can you explain on what you meant in detail ? The text below is wrong. If, as is commonly the case, an attacker has the ability to inject packets on the wire with the same IP address as the victim, the attacker can forge ICE packets. If the victim's correspondent checks MESSAGE-INTEGRITY (which implicitly checks username and password), he will detect that these packets don't have the correct authorization, and throw them away. If the victim's correspondent does not check MESSAGE-INTEGRITY, the attacker can keep renewing any consent to receive as long as he wants, even though the victim wanted to stop consenting. Since the whole purpose of consent-freshness is to allow the potential victim to stop consenting to receiving traffic, checking MESSAGE-INTEGRITY (which implictily checks username and password) is necessary. This whole paragraph should be deleted from the "Security Considerations" section and replaced with text properly describing the situation. > > Ram > >> "Once that connection to the remote >> peer has been established with ICE, the consent to continue sending >> traffic does not benefit from re-asserting that same username and >> password, so long as the senders and receiver's IP addresses remain >> the same (as they usually do)." >> >> Neglect my words, if my understandings are wrong. >> >> Best regards, >> >> Jessie >> >> -----Original Message----- >> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf >> Of Magnus Westerlund >> Sent: Monday, September 09, 2013 4:37 PM >> To: rtcweb@ietf.org >> Subject: [rtcweb] Adopting draft-muthu-behave-consent-freshness? >> >> WG, >> >> This is a call for WG adoption of STUN Usage for Consent Freshness >> (draft-muthu-behave-consent-freshness-04). This document defines a STUN >> usage for consent freshness. As this requires no protocol extensions we >> as intended users can define this usage in our WG. Such work also >> matches our charter. The draft-ietf-rtcweb-security-arch-07 is >> normatively dependent on this STUN usage. >> >> Document: >> https://datatracker.ietf.org/doc/draft-muthu-behave-consent-freshness/ >> >> WG, please indicate your support or issues with adopting this document >> as WG item with a proposed milestone: >> >> Mar 2014 Send STUN Usage for Consent Freshness to IESG for publication >> as proposed standard. >> >> Cheers >> >> Magnus Westerlund >> >> ---------------------------------------------------------------------- >> Multimedia Technologies, Ericsson Research EAB/TVM >> ---------------------------------------------------------------------- >> Ericsson AB | Phone +46 10 7148287 >> Färögatan 6 | Mobile +46 73 0949079 >> SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com >> ---------------------------------------------------------------------- >> >> _______________________________________________ >> rtcweb mailing list >> rtcweb@ietf.org >> https://www.ietf.org/mailman/listinfo/rtcweb >> _______________________________________________ >> rtcweb mailing list >> rtcweb@ietf.org >> https://www.ietf.org/mailman/listinfo/rtcweb > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb
- [rtcweb] Adopting draft-muthu-behave-consent-fres… Magnus Westerlund
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Simon Perreault
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Harald Alvestrand
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Christer Holmberg
- [rtcweb] Consent freshness in the light of no-SDE… Harald Alvestrand
- Re: [rtcweb] Consent freshness in the light of no… Christer Holmberg
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Alfred E. Heggestad
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Bernard Aboba
- Re: [rtcweb] consent freshness vs. circuit breake… Bernard Aboba
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Charles Eckel (eckelcu)
- Re: [rtcweb] Consent freshness in the light of no… Martin Thomson
- Re: [rtcweb] Consent freshness in the light of no… Martin Thomson
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Martin Thomson
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Gonzalo Salgueiro (gsalguei)
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Victor Pascual
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Timothy B. Terriberry
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Eric Rescorla
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Mishra, Sanjay
- Re: [rtcweb] consent freshness vs. circuit breake… Dan Wing
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Lijing (Jessie, Huawei)
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Mishra, Sanjay
- [rtcweb] FW: Adopting draft-muthu-behave-consent-… Lijing (Jessie, Huawei)
- Re: [rtcweb] FW: Adopting draft-muthu-behave-cons… Ram Mohan R (rmohanr)
- [rtcweb] Continuing to assert username/password (… Harald Alvestrand
- Re: [rtcweb] Adopting draft-muthu-behave-consent-… Magnus Westerlund
- Re: [rtcweb] Continuing to assert username/passwo… Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Continuing to assert username/passwo… Harald Alvestrand
- Re: [rtcweb] Continuing to assert username/passwo… Tirumaleswar Reddy (tireddy)